[nsp-sec] Google to the WCP - Phishing -[Reply-To: wesu20 at gmail.com]
Gabriel Iovino
giovino at ren-isac.net
Wed Aug 4 10:22:35 EDT 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
ksu.edu asked if I could pass the following email account along.
Reply-To: wesu20 at gmail.com
Apparently it has been used in Phishing attempts for two months and is
responsible for over 20 compromised accounts at ksu.edu.
Thanks
Gabe
- --
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
Sample email below:
> From: KSU Webmaster <webmaster at ksu.edu.tr>
> Date: June 12, 2010 1:33:32 PM CDT
> To: undisclosed-recipients:;
> Subject: KSU Account Verification
> Reply-To: wesu20 at gmail.com
> return-path: webmaster at ksu.edu.tr
> received: from 198.108.65.49 (LHLO ksu-mta06.merit.edu)
> (198.108.65.49) by ksu-mailstore01.merit.edu with LMTP; Sat, 12 Jun
> 2010 14:41:29 -0400 (EDT)
> received: from localhost (localhost.localdomain [127.0.0.1]) by
> ksu-mta06.merit.edu (Postfix) with ESMTP id 6FA6357D99; Sat, 12 Jun
> 2010 14:45:12 -0400 (EDT)
> received: from ksu-mta06.merit.edu ([127.0.0.1]) by localhost
> (ksu-mta06.merit.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
> id FMMuCL8jx212; Sat, 12 Jun 2010 14:45:12 -0400 (EDT)
> received: from webserver.mca.gov.py (muni-edif.netvision.com.py
> [200.1.200.230]) by ksu-mta06.merit.edu (Postfix) with ESMTPS id
> 343CD57DAD; Sat, 12 Jun 2010 14:45:09 -0400 (EDT)
> received: from localhost (webmail.netvision.com.py [200.1.200.27]) by
> webserver.mca.gov.py (8.13.8/8.13.1) with ESMTP id o5CIW8G5009676;
> Sat, 12 Jun 2010 14:32:09 -0400
> received: from 201.217.49.57 ([201.217.49.57]) by
> webmail.netvision.com.py (Horde Framework) with HTTP; Sat, 12 Jun 2010
> 14:33:32 -0400
> x-virus-scanned: amavisd-new at ksu-mta06.merit.edu
> x-spam-flag: NO
> x-spam-score: -0.722
> x-spam-status: No, score=-0.722 tagged_above=-10 required=5
> tests=[AWL=1.877, BAYES_00=-2.599] autolearn=ham
> message-id: <20100612143332.16745x6c0ilj5rsw at webmail.netvision.com.py>
> mime-version: 1.0
> content-type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
> content-disposition: inline
> content-transfer-encoding: 7bit
> user-agent: Internet Messaging Program (IMP) H3 (4.3.7)
> x-spamtest-envelope-from: webmaster at ksu.edu.tr
> x-spamtest-group-id: 00000000
> x-spamtest-info: Profiles 14160 [Jun 12 2010]
> x-spamtest-info: helo_type=10
> x-spamtest-info: {TO: undisclosed}
> x-spamtest-method: none
> x-spamtest-rate: 35
> x-spamtest-spf: softfail
> x-spamtest-status: Not detected
> x-spamtest-status-extended: not_detected
> x-spamtest-version: SMTP-Filter Version 3.0.0 [0284], KAS30/Release
> x-anti-virus: Kaspersky Anti-Virus for Sendmail with Milter API
> 5.6.20, bases: 20100612 #4261753, check: 20100612 clean
>
> Dear KSU Webmail User,
>
> Due to excess abandoned KSU Webmail Account, KSU Webmaster has decided
> to refresh the database and to delete inactive accounts to create
> space for fresh users. To verify your KSU Webmail Account, you must
> reply to this email immediately and provide the information below
> correctly:
>
> Email:
> Password:
> Verify Password:
>
> Failure to do this will immediately render your KSU Webmail Account
> deactivated from our system. KSU Webmail Database refreshing shall
> commence once a response is not received within 48hrs.
>
> Thanks You!
> KSU Webmaster
> KSU International
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkxZd6sACgkQwqygxIz+pTtlsgCcCPvMvGUJcHMGYvUi1flM8ZyA
qNMAn1DIJ1Nh6KHok2HjmZBPwNjix8aP
=6r3D
-----END PGP SIGNATURE-----
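The quoted sample carries several signals a mail filter can key on: a Reply-To domain unrelated to the From domain, an SPF softfail, undisclosed recipients, and a body that asks for a password. The Python triage function below is an added example, not part of the original post; both sample messages and their placeholder addresses are constructed, and only the header name `x-spamtest-spf` is taken from the sample above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the quoted message; addresses are placeholders.
PHISH = """\
From: Example Webmaster <webmaster at example.edu.tr>
To: undisclosed-recipients:;
Subject: Example Account Verification
Reply-To: collector at freemail.example
x-spamtest-spf: softfail

Dear Webmail User,
To verify your account, reply to this email and provide:
Email:
Password:
Verify Password:
"""

# Constructed benign message for comparison.
BENIGN = """\
From: Help Desk <helpdesk at example.edu>
To: user at example.edu
Subject: Maintenance window
Reply-To: helpdesk at example.edu
x-spamtest-spf: pass

Webmail will be unavailable Saturday from 02:00 to 04:00.
"""

def domain(value):
    """Domain of an address header, accepting archive-style 'user at host'."""
    addr = parseaddr(re.sub(r"\s+at\s+", "@", value or ""))[1]
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Return the list of phishing signals found in one raw message."""
    msg = message_from_string(raw)
    frm, reply = domain(msg["From"]), domain(msg["Reply-To"])
    hits = []
    if reply and reply != frm and not reply.endswith("." + frm):
        hits.append("reply-to-domain-mismatch")
    if (msg["x-spamtest-spf"] or "").strip().lower() in ("softfail", "fail"):
        hits.append("spf-not-pass")
    if "undisclosed" in (msg["To"] or "").lower():
        hits.append("undisclosed-recipients")
    if re.search(r"^\s*(verify\s+)?password\s*:\s*$", msg.get_payload(), re.I | re.M):
        hits.append("password-form-in-body")
    return hits
```

No single signal is conclusive on its own (mailing lists and help desks legitimately set a different Reply-To), so treat the returned list as input to scoring or analyst review.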